Hi Erwin,
The module generates responses online, so you must use online DNSSEC signing, which is incompatible with the pre-signing functionality.
You need to remove dnssec-signing (and dnssec-policy) from the default template. Also note that mod-onlinesign ignores the NSEC3 setting (remove nsec3 from the policy).
Daniel
On 5/13/24 22:18, Erwin Lansing via knot-dns-users wrote:
Howdy,
I’m trying to get Knot 3.3.5 to use authenticated DNSSEC bootstrapping following the blog article and docs. However, I’m getting an error for the signalling zones, but I fail to figure out what I may have overlooked.
error: [_signal.ns2.droso.dk.] module 'mod-onlinesign/authsignal', incompatible with automatic signing
Relevant knot.conf snippets (in order):
policy:
  - id: ecc
    algorithm: ecdsap256sha256
    nsec3: on
    rrsig-refresh: 7d
mod-onlinesign:
  - id: authsignal
    nsec-bitmap: [CDS, CDNSKEY]
    policy: ecc
template:
  - id: default
    …
    dnssec-signing: on
    dnssec-policy: ecc
    …
zone:
  - domain: _signal.ns2.droso.dk
    module: [mod-authsignal, mod-onlinesign/authsignal]
Any hint appreciated
Best
Erwin
--
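
The two changes from the reply, applied to the snippets in the original message. This is an added example, not configuration posted in the thread or taken from the Knot DNS project. The `autosign` template and the `example.com` zone are hypothetical names, added on the assumption that other zones should keep automatic signing.

```yaml
policy:
  - id: ecc
    algorithm: ecdsap256sha256
    # nsec3 removed: mod-onlinesign ignores the NSEC3 setting
    rrsig-refresh: 7d

mod-onlinesign:
  - id: authsignal
    nsec-bitmap: [CDS, CDNSKEY]
    policy: ecc

template:
  # dnssec-signing and dnssec-policy removed from the default template,
  # so zones using it are no longer signed automatically.
  # Other settings elided in the original message stay as they were.
  - id: default

  # Hypothetical template for zones that should be signed automatically.
  - id: autosign
    dnssec-signing: on
    dnssec-policy: ecc

zone:
  # Signalling zone: uses the default template, so the only signer
  # is mod-onlinesign, which signs responses as they are generated.
  - domain: _signal.ns2.droso.dk
    module: [mod-authsignal, mod-onlinesign/authsignal]

  # Hypothetical, constructed zone that keeps automatic signing.
  - domain: example.com
    template: autosign
```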